IFN507 Network Systems P1: Introduction to Wireshark
Practical 1
Introduction to Wireshark
Learning Objectives
Upon completion of this practical, you will be able to:
· Configure a peer to peer network
· Test network connectivity
· Capture packets with Wireshark
Background
A packet sniffer (also known as a network analyser or protocol analyser) is a software tool that can intercept and log data traffic passing over a network. It captures the packets as they travel back and forth across the network. Wireshark is a free and open-source packet sniffer used for network troubleshooting, analysis, software and communications protocol development, and education. If you want to know more, the website “https://www.wireshark.org/” provides detailed information about Wireshark.
In this unit, you will start familiarising yourself with Wireshark and use it to appreciate the entire process of data encapsulation. You will use Wireshark to capture network traffic and analyse incoming and outgoing traffic, which is a critical part of network management. You will use Wireshark for numerous lab activities throughout the semester, so you will need to download it and install it on your device.
Lab Activities
· Lab Activity 1: You will capture traffic between two PCs in a virtual lab environment.
· Lab Activity 2: You will use your PC to capture packets on the QUT or your home network.
Answer the questions as you complete the activities’ tasks.
Lab Activity 1 – Configure a peer to peer network
Topology Diagram
Figure 1.1 – Peer-to-Peer Network (PC1 and PC2)
Activity 1, Task 1: Obtain the required resources and configure VirtualBox
Step 1: Download the required resources
1. Download the virtual lab environment from:
https://connectqutedu-my.sharepoint.com/:f:/g/personal/kanel_qut_edu_au1/ElZl06pTu7RIqWzW0nsz_wIBPLT2P5qW0vTVu8xisMj9zw. Ensure you download the virtual machines (VMs) for both PC1 and PC2. You don’t require the Server 2019 VM.
2. Download VirtualBox for your operating system and the VirtualBox Extension Pack from https://www.virtualbox.org/wiki/Downloads
3. Install VirtualBox first, and then install the Extension Pack.
4. Extract the zipped VM images to an appropriate location on your PC.
Step 2: Import the VM images into VirtualBox and Start the machines
1. You will need to perform these tasks for both VMs.
2. From the main screen in VirtualBox, on the Machine menu, click Add.
3. Browse to the folder where you extracted the VM and double click the .vbox file to import the machine.
4. All machines have been provisioned with the minimal resources to run (1 CPU core and 1GB of RAM). This was done to ensure the VMs could be run on relatively low specification hardware. You can increase these values depending on your individual PC setup, which could provide a smoother, faster experience. If you have the resources on your machine, it is recommended to increase the RAM to 4GB and the CPU cores to 2.
5. Once the machines have been imported, you can start them by double clicking on them.
6. The password to log in to both VMs is 1qaz2wsx
Activity 1, Task 2: Configure a Peer-to-Peer Network
To complete this task, follow the step-by-step instructions below. Note that the following steps must be completed from both VMs. Both VMs are preconfigured to be on their own internal network isolated from your own network.
Addressing Table 1.1
Device   Interface   IPv4 Address   Subnet Mask     Default Gateway
PC1      NIC         192.168.1.2    255.255.255.0   N/A
PC2      NIC         192.168.1.3    255.255.255.0   N/A
Step 1: Assign the two designated IPv4 addresses to PC1 and PC2
1. From both PC1 and PC2, right click on Start then click on Network Connections > Change Adapter Options > select Ethernet > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties.
2. From PC1, enter the designated IPv4 address 192.168.1.2 and subnet mask 255.255.255.0 and then press OK > OK.
3. From PC2, enter the designated IPv4 address 192.168.1.3 and subnet mask 255.255.255.0 and press OK.
Step 2: Verify Connectivity
1. By default, Windows Firewall is on and blocks incoming ICMP packets. To enable your PC to receive ping replies, you need to turn off the Windows Firewall. Click on Start and then type “firewall”. From the suggestions provided by Windows, click on “Windows Defender Firewall”. Ensure you turn off the firewall for both Public and Private networks.
2. From both PC1 and PC2, click Start, and then click Command Prompt. Use the ping command to test connectivity between PC1 and PC2.
3. From the PC1 command prompt, type ping 192.168.1.3, and then press the Enter Key.
From the PC2 command prompt, type ping 192.168.1.2, and then press Enter.
Can you ping each other successfully? What output did you receive from the command prompt?
Pinging PC2 from PC1:
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
If the ping command fails with an error message, you need to troubleshoot the connectivity problems.
Common areas to troubleshoot:
· Check if the cable is plugged in properly or not (on real machines)
· Check if the IP addresses and subnet mask have been correctly configured on each PC
· For each VM, check in the settings in VirtualBox to ensure that the network adapter is set to ‘Internal Network’
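The second troubleshooting item (addresses and masks) can be checked before touching the VMs by testing the two address/mask pairs for the conditions a direct ping needs. The following Python script is an added example, not part of the practical; it uses only the standard-library ipaddress module and applies to the pairs in both Addressing Table 1.1 and Table 1.2.

```python
import ipaddress


def check_peer_addressing(ip_a: str, mask_a: str, ip_b: str, mask_b: str) -> dict:
    """Check whether two hosts addressed as in the tables of this practical should be
    able to ping each other directly (same subnet, so no default gateway is needed).
    Returns {'direct': bool, 'network': str or None, 'problems': [reasons]}."""
    problems, hosts = [], []
    for label, ip, mask in (("PC1", ip_a, mask_a), ("PC2", ip_b, mask_b)):
        try:
            hosts.append(ipaddress.IPv4Interface(f"{ip}/{mask}"))
        except ValueError as e:                 # mistyped address or non-contiguous mask
            problems.append(f"{label}: invalid address or mask ({e})")
    if len(hosts) < 2:
        return {"direct": False, "network": None, "problems": problems}
    a, b = hosts
    if a.ip == b.ip:
        problems.append("duplicate IP address on both PCs")
    for label, h in (("PC1", a), ("PC2", b)):
        # the first and last addresses of a subnet cannot be assigned to a host
        if h.ip in (h.network.network_address, h.network.broadcast_address):
            problems.append(f"{label}: {h.ip} is the network or broadcast address, not a host")
    if a.netmask != b.netmask:
        problems.append(f"subnet masks differ ({a.netmask} vs {b.netmask})")
    if a.network != b.network:
        problems.append(f"different subnets ({a.network} vs {b.network}); a router would be needed")
    return {"direct": not problems,
            "network": str(a.network) if not problems else None,
            "problems": problems}
```

Run it with the values from your own ipconfig output; an empty problems list means the ping failure lies elsewhere (firewall, adapter mode, cabling).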
Activity 1, Task 3: Wireshark Basics
Wireshark has been preinstalled on the PC1 and PC2 VMs. From both VMs, click Start > Wireshark.
To start data capture, select “Ethernet” from the list of the Capture Interfaces to capture the network traffic occurring in the peer to peer local area network.
The main display window of Wireshark has three panes as shown in the following figure:
(Figure: Wireshark main window showing the Packet List Pane, Packet Detail Pane and Packet Bytes Pane)
· The PDU (Protocol Data Unit, or Packet) List Pane at the top of the diagram displays a summary of each packet captured. By clicking on packets in this pane, you control what is displayed in the other two panes.
· The PDU (or Packet) Detail Pane in the middle of the diagram displays the packet selected in the Packet List Pane in more detail.
· The PDU (or Packet) Bytes Pane at the bottom of the diagram displays the actual data (in hexadecimal form representing the actual binary) from the packet selected in the Packet List Pane, and highlights the field selected in the Packet Details Pane.
Each line in the Packet List corresponds to one PDU or Packet of the captured data. If you select a line in this pane, more details will be displayed in the Packet Details and Packet Bytes Panes.
The Packet Details Pane shows the current packet (selected in the Packet List Pane) in a more detailed form. This pane shows the protocols and protocol fields of the selected packet. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.
The Packet Bytes Pane shows the data of the current packet (selected in the Packet List Pane) in what is known as “hexdump” style. In this subject, this pane will not be examined in detail.
The information captured can be saved in a file. This file can then be opened in Wireshark for analysis at a later time without the need to re-capture the same data traffic. The captured file will have the extension .pcap or .pcapng.
When closing a data capture screen or exiting Wireshark, you are prompted to save the captured PDUs. Clicking on Continue without Saving closes the file or exits Wireshark without saving the displayed captured data.
Activity 1, Task 4: Use Wireshark to View PDUs
With the PCs now being able to communicate with each other, you can start capturing Ping packets by following the steps below.
Step 1: Run Wireshark
Set the Capture Options and select the correct network adapter (should be ‘Ethernet’ while using the VMs) to start the data capture right away.
Step 2: Capture Ping packets in Wireshark
Using the command prompt, ping PC2 from PC1 and vice versa.
· From PC1, ping 192.168.1.3
· From PC2, ping 192.168.1.2
After receiving the successful replies to the ping in the command prompt, stop the packet capture by clicking Stop in the Capture menu.
Step 3: Examine the Packet List Pane
The Packet List Pane on Wireshark should now look something like the following figure. Notice how it has been filtered to display ICMP packets only. You may have to also do this if there is a large amount of other traffic present:
Look at the packets listed above; we are interested in the packets that are labelled as “Echo (ping) request” and “Echo (ping) reply” in the Info column.
Locate the equivalent packets on the packet list on your computer. Using the Wireshark Packet List, answer the following questions:
Q1: What protocol is used by ping? What is its full name?
Internet Control Message Protocol (ICMP)
Q2: Are the listed source and destination IP addresses what you expected? (Yes / No)
Answer may vary — Yes, the source address is my computer and the destination is another workstation
Step 4: Select (or highlight) the first “Echo (ping) request” packet on the list
The Packet Detail Pane will now display something similar to the following figure:
Click on the arrow next to each section of the packet to expand its information. The Packet Detail Pane will now be similar to the following figure:
As evident here, the details for each section and protocol can be expanded further. Spend some time scrolling through the information. At this point, you may not fully appreciate all the information shown; you will gain more understanding of it as you progress through the semester. For now, just make a note of the information you do recognise.
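The three protocol sections the Packet Detail Pane shows for an echo request can be reproduced by decoding the raw frame bytes yourself. The following Python script is an added example, not part of the practical: it assembles a constructed Ethernet II + IPv4 + ICMP echo request from PC1 to PC2 (the MAC addresses are made up) and decodes it layer by layer, verifying the IPv4 and ICMP checksums the way Wireshark does.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers (0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, seq=1) -> bytes:
    """Constructed frame: Ethernet II + IPv4 (TTL 128) + ICMP echo request carrying the
    32-byte payload a Windows ping sends. Not taken from a real capture."""
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, seq) + payload       # type 8 = Echo request
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip + icmp                             # EtherType 0x0800 = IPv4


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the frame into the sections the Packet Detail Pane shows: the Layer 2 header
    carries MAC addresses, the Layer 3 header carries IP addresses, ICMP carries the ping."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"Ethernet II": {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
                              "type": f"0x{ethertype:04x}"}}
    if ethertype != 0x0800:
        return layers
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    ttl, proto, _, sip, dip = struct.unpack("!BBH4s4s", frame[22:34])
    layers["Internet Protocol"] = {"src_ip": ip_str(sip), "dst_ip": ip_str(dip), "ttl": ttl,
                                   "protocol": proto, "header_ok": checksum(frame[14:14 + ihl]) == 0}
    if proto == 1:                                  # IP protocol number 1 = ICMP
        icmp = frame[14 + ihl:]
        itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        info = {8: "Echo (ping) request", 0: "Echo (ping) reply"}.get(itype, f"type {itype}")
        layers["ICMP"] = {"info": info, "id": ident, "seq": seq,
                          "checksum_ok": checksum(icmp) == 0, "data_len": len(icmp) - 8}
    return layers
```

Calling parse_frame(build_echo_request("08:00:27:aa:bb:01", "08:00:27:aa:bb:02", "192.168.1.2", "192.168.1.3")) returns one dictionary per section, which you can compare against the expanded tree in your own capture.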
Q3: In Wireshark captures, which two of these following statements are true?
The “Ethernet II (Layer 2)” header alone shows the source and destination MAC addresses
The “Ethernet II (Layer 2)” header alone shows the source and destination IP addresses
The “Internet Protocol (Layer 3)” header shows the source and destination MAC addresses
The “Internet Protocol (Layer 3)” header shows the source and destination IP addresses
Step 5: Go to the File menu and select Close
Click on Stop and Quit without Saving to end this lab activity.
Lab Activity 2 – Capture packets on your home network
Topology Diagram
Figure 1.2 – Connection of VMs to home network
Currently your two VMs are sharing their own private network within VirtualBox. In this activity you are going to bridge the two VMs, so they are directly connected to your home network. Even though both VMs reside on your own machine, they will appear to your network as two individual and separate PCs.
Activity 2, Task 1: Connect Your VMs to your home network
Step 1: Change the network settings from Internal Network to Bridged Adapter
1. From the Machine menu of each VM, select Settings.
2. Click on the Network icon on the left and change ‘Adapter 1’ from ‘Internal Network’ to ‘Bridged Adapter’. Note: If you are completing this exercise on campus, you will need to select NAT Network instead, as bridged networks are blocked on the QUT network (before you can use a NAT Network, in VirtualBox click File -> Preferences and add a new NAT network).
3. In the Name box, select the physical network adapter your host PC uses to connect to your home network. This may be a Wi-Fi adapter or an Ethernet adapter, depending on your individual home network setup.
Activity 2, Task 2: Configure the VMs to Obtain an IP address dynamically (automatically assigned by a DHCP server)
In general, when a workstation is connected to the QUT campus network, the workstation obtains its IP address with Dynamic Host Configuration Protocol (DHCP), rather than being configured manually. The same goes for your home network. In most cases, devices will be assigned an IP address from a DHCP server that is running on your modem/router device.
Step 1: Obtain an IP address automatically
1. From both PC1 and PC2, right click on Start then click on Network Connections > Change Adapter Options > select Ethernet > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties.
2. Select Obtain an IPv4 address automatically and Obtain DNS server address automatically > OK > OK.
Step 2: Verify the assigned IP address and test connectivity
Now, your workstation is connected directly to the network and should have already obtained an IP address and other information automatically. Observe the values of your IP addressing information through the following steps.
1. On your computer, start the command prompt: press the Windows key + R and type cmd.exe, or click Start > Command Prompt.
2. The ipconfig command is used to display the TCP/IP network configuration values in Windows.
3. Use the ipconfig command to display the IP addresses of PC1 and PC2. From both PC1 and PC2, type ipconfig /all from the command prompt, and then press the Enter key.
4. Locate the “Ethernet adapter Local Area Connection”. Use Addressing Table 1.2 to record the IP Address, Subnet Mask and Default Gateway from PC1 and PC2.
Addressing Table 1.2 (answers may vary)
Device   Interface   IPv4 Address     Subnet Mask     Default Gateway
PC1      NIC         131.181.110.30   255.255.254.0   131.181.110.1
PC2      NIC         131.181.110.28   255.255.254.0   131.181.110.1
5. Use the ping command to verify that PC1 can reach PC2, and vice versa.
From PC1, type ping PC2-IPv4-Address at the command prompt.
From PC2, type ping PC1-IPv4-Address at the command prompt.
Q4: Can you ping each other successfully?
Answer for PC1:
Reply from 131.181.110.28: bytes=32 time<1ms TTL=128
Reply from 131.181.110.28: bytes=32 time<1ms TTL=128
Reply from 131.181.110.28: bytes=32 time<1ms TTL=128
Reply from 131.181.110.28: bytes=32 time<1ms TTL=128
If the ping command fails with an error message, you need to troubleshoot the connectivity problem.
Activity 2, Task 3: Use Wireshark to View PDUs
Repeat the same procedure from activity 1, task 4 to capture ping packets and then examine the data captured with Wireshark. Use the following action guide:
1. Start Wireshark and select the current network adapter or NIC and then start packet capture.
2. Using the command prompt, from PC1 ping PC2 and vice versa.
3. After receiving the successful ping replies, stop the packet capture.
4. Examine the packets that are labelled as “Echo (ping) request” and “Echo (ping) reply” in the Info column. Be sure to filter the traffic to display ICMP packets only if there is a lot of other traffic.
Activity 2, Task 4: Clean up
Exit Wireshark and shut down the VMs. Then proceed to the Reflection section.
Install Wireshark directly on your PC and try capturing traffic on your local network. Explore and get familiar with Wireshark as this will be essential for later practicals and assessment items.
Reflection
1. List out some common connection problems on a peer-to-peer network.
Wrong IP address assignment; Pinging the wrong IP address; Ethernet cable loses connection; use the wrong type of cable; Workstations powered off.
2. Assume that you have already logged onto the QUT network but are unable to access the QUT website. List the possible connectivity problems that could occur.
Physical connection problem, e.g. Ethernet cable connection, NIC card
Logical connection problems, e.g. IP addressing, DNS setting
3. Assume that you are not able to access the QUT website from your home network. List the possible connectivity problems that could occur. What approach do you use for troubleshooting?
Physical connection problem, e.g. Ethernet cable connection, NIC card
Logical connection problems, e.g. IP addressing, DNS setting
ISP issue
Home router issue
You may use the bottom-up, top-down or divide-and-conquer approach to troubleshoot.
End of Practical 1